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ABSTRACT 


DoD has become increasingly dependent upon storing its sensitive informa- 
tion in electronic form and has a deep concern for the integrity and privacy of 
this valuable information. In the recent aftermath of numerous electronic 
break-ins, the DoD continues to express anxiety over technically weak system 
administrators" inability to protect sensitive electronic information. 


The solution to minimizing these electronic intrusions and bolstering 
computer security in DoD is to educate military officers and federal civilians 
in the methods of computer security. This can be accomplished by integrating 
concepts and problem solving techniques related to computer security into the 
Information Technology Management (370) Curriculum at the Naval 
Postgraduate School. 
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I. INTRODUCTION 


A. RATIONALE AND PURPOSE OF THESIS 


In 1986, Cliff Stoll, an astronomer-turned-system administrator at 
Lawrence Berkeley Laboratory, attracted international attention by tracing a 
75 cent computer system accounting error to a West German hacker stealing 
military documents and selling them to the KGB. Although the hacker was not 
a brilliant programmer, he was persistent. By exploiting security deficiencies 
in operating systems, lax password security, and poor system management, 
the hacker managed to attack over 450 computers attached to MILNET, 
successfully penetrating 30. The hacker persistently attacked computers 
located at military bases, defense contractors, and universities, searching files 
for keywords like KH-11, SDI, and NUCLEAR. [Ref. 1] 

On the evening of November 2, 1988, Robert T. Morris, a Cornell 
graduate student unleashed a worm on the Internet. Within hours 
approximately 3,000 Sun and VAX workstations running variants of the 
Berkeley Standard Distribution 4.3 UNIX operating system fell victim to the 
worm. Although the worm, innocuous in the sense that it did not destroy files 
or alter information, did however propagate uncontrollably, overwhelming 
system resources. [Ref. 2] 

Between April 1990 and May 1991, foreign hackers penetrated 34 
Department of Defense (DoD) computers including one system that directly 
supported Operation Desert Shield / Storm. The hackers gained access to 
sensitive military computers by exploiting well known flaws in operating 
systems, weaknesses in the Trivial File Transfer Protocol (TFTP) and 


accounts with easily guessed passwords. [Ref. 3] 


DoD has become increasingly dependent upon storing its "sensitive 
information" in electronic form and naturally there 1s a deep concern for the 
integrity and privacy of this valuable information. In the aftermath of 
numerous electronic intrusions, many questions have been raised regarding 
the lack of computer security and the abundance of computer system 
vulnerabilities. 

One predominate factor linked to these “electronic break-ins” is 
system administrators who are not formally educated in computer 
security. Although highly publicized stories of "electronic break-ins", 
worms, and viruses have made some system administrators more security 
conscious, awareness of the problem is not enough. [Ref. 4] 


The phenomenon of widespread electronic intrusion is very 
recent. It is made possible by the proliferation of personal 
computers and their connection to electronic networks. Although 
technically sophisticated, intrusions are always the acts of human 
beings. Intrusions can be controlled by a combination of 
technical safeguards -- a sort of network immune system -- and 
hygienic procedures for using computers. But they cannot be 
eliminated. 


It would seem that some straightforward technological fixes 
would greatly reduce future threats. But technological fixes are 
not the final answer; they are valid only until someone launches 
a new kind of attack. [Ref. 5] 


The solution to minimizing these electronic intrusions and bolstering 
computer security in DoD 1s to educate military officers and federal civilians 
in the methods of computer security. This can be accomplished by integrating 
concepts and problem solving techniques related to computer security into the 
Information Technology Management (370) Curriculum at the Naval 
Postgraduate School. 


The following describes DoD's anxiety about system administrators' 
inability to safeguard electronic information, and proposes several cost 
efficient avenues to enhance the training of computer security in the 
Information Technology Management (370) Curriculum. This thesis will also 
serve as a computer security reference vehicle to facilitate faculty members in 


modifying their courses to encompass relevant security issues. 


B. SUMMARY OF CONTENTS 


This thesis contains seven chapters and three appendices, the following is 
a summary of the contents: 

Chapter I Introduction acquaints the reader with three highly 
publicized electronic break-ins and highlights DoD's anxiety about 
technically weak system administrators’ inability to protect sensitive 
electronic information. 

Chapter II Computer Security and DoD briefly describes what 
computer security 1s and what it entails. Introduces two U.S. Government 
Accounting Office (GAO) perceptions of system administrators, the current 
"local" computer security climate, and the need for computer security 
professionals. 

Chapter HI Cultivating Computer Security in DoD describes laws, 
acts, and technical publications that directly impact computer security within 
DoD. Proposes modifying an academic program at the Naval Postgraduate 
School to ameliorate DoD’s computer security problems. 

Chapter IV Analysis Methods describes the procedures and resources 


used in this thesis. 


Chapter V Summary of Findings summarizes the thesis research 
findings and the strengths and weaknesses of the current 370 Curriculum. 

Chapter VI Recommendations describes in detail seven 
recommendations for improving computer security. 

Chapter VII Conclusion; opinions. 

Appendix A Information Systems Courses reflects the comparison of IS 
courses with the (ISC)? information security certification format. 

Appendix B Computer Science Courses reflects the comparison of CS 
courses with the (ISC)? information security certification format. 

Appendix C Electro-Optical and Communication Courses reflects the 
comparison of EO and CM courses with the (ISCY* information security 
certification format. 


List of References lists the sources of information used. 


Il. COMPUTER SECURITY AND DOD 


A. WHAT IS COMPUTER SECURITY? 


In the aftermath of numerous “electronic break-ins” to sensitive 
government computers, the DoD has become acutely aware of its computer 
security inadequacies. In light of these recent events one must ponder the 
question, what exactly is computer security and what does it entail? 

Computer security is far more reaching than just protecting information 
systems from “electronic break-ins”. 


Computer security Is concerned with identifying 
vulnerabilities in systems and in protecting against threats to 
those systems...many computer users still don't really 
understand what computer security 1s--and why it should be 
important to them. Computer security protects your computer 
and everything associated with it--your building, your terminals 
and printers, your cabling, and your disks and tapes. Most 
importantly, computer security protects the information you've 
stored in your system. That's why computer security is often 
called information security. [Ref. 6] 


"Every computer system is vulnerable to attack". [Ref. 7] In order to 
protect this valuable information, first determine. where the system 15 
susceptible to intrusion, attack, or environmental danger. Once you have 
discovered the system's vulnerabilities, appropriate preventative measures 
can be taken. Typical areas of concern include: 


e Physical Vulnerabilities: Your buildings, your computer site 
and the associated peripherals are vulnerable. One of the primary 
functions of physical security is to restrict unauthorized access to 
the computer site and provide protection from damage caused by 
natural disasters. “Physical security methods include old 
fashioned locks and keys, as well as more advanced technologies 
like smart cards and biometric devices.’’[Ref. 8] 


e Natural Disasters, such as fire, floods, earthquakes, and other 
dangers due to natural forces can cause irreparable damage to 
computer equipment and even worse, a loss of valuable 
information. Although natural disasters are not preventable, steps 
can be taken to minimize the severity of the damage. 


° Software Vulnerabilities: Worms, viruses, trapdoors, and even 
simple bugs can open the system to electronic intruders. 


¢ Human Vulnerabilities: “The people who administer and use 
your computer system represent the greatest vulnerability of all. 
The security of your entire system is often in the hands of a 
systems administrator.” If that administrator is not properly 
trained or is unable to safeguard valuable electronic information, 
the system could be exploited and subjected to electronic 
terrorism or vandalism. [Ref. 9] 


B. DOD'S INTEREST IN COMPUTER SECURITY 


1. 1989 U.S. General Accounting Office Report 
DoD has become increasingly dependent upon storing its "sensitive 
information" in electronic form and naturally there is a deep concern for the 
integrity and privacy of this valuable information. 


Network intruders--some would call themselves explorers or 
liberators--have found ways of using networks to dial into remote 
computers, browse through their contents, and work their way 
into other computers. They have become skilled at cracking the 
password protocols that guard computers and adept at tricking 
the operating systems into giving them superuser or system 
manager privileges. They have also created worm and virus 
programs that can carry out these actions unattended and 
replicate themselves endlessly--electronic surrogates that can 
prowl the network independent of their creators. As electronic 
networking spreads around the globe, making possible new 
international interactions and breaching barriers of language and 
time, so rise the risks of damage to valuable information and the 
anxiety over attack by intruders, worms, and viruses. [Ref. 10] 


Representative Edward J. Markey, Chairman of the Subcommittee on 
Telecommunications and Finance (House Committee on Energy and 
Commerce), recognizing the devastating impact a malicious "Internet type" 
worm could have on DoD computers, asked the U.S. General Accounting 
Office (GAO) to conduct an intensive investigation focusing on DoD's 
inherent vulnerabilities regarding computer security. [Ref. 11] 

Hackers have been accessing and continue to gain access to sensitive 
networked DoD computer systems by exploiting system weaknesses. One of 
the most prevalent weaknesses mentioned in the 1989 GAO report was 
that host computer site system managers were technically weak and 
practiced poor security management techniques. The report states: 


Host computers are frequently administered by systems 
managers, typically site personnel engaged in their own research, 
who often serve as systems managers on a part-time basis. 


A number of Internet users, as well as NCSC and Defense 
Communications Agency virus reports, stated that the technical 
abilities of systems managers vary widely, with many managers 
poorly equipped to deal with security issues, such as the Internet 
virus. For example, according to the NCSC report, many systems 
managers lacked the technical expertise to understand that a virus 
attacked their systems and had difficulty administering fixes. 
The report recommended that standards be established and 
a training program begun to upgrade systems manager 
expertise. [Ref. 12] 


2. 1991 U.S. General Accounting Office Report 
On November 20, 1991 Jack L. Brock Jr., Director of Government 


Information and Financial Management Issues (Information Management and 


Technology Division) gave testimony before the members of the Senate 


Subcommittee on the vulnerabilities of DoD computer systems penetrated 
during Operation Desert Shield / Storm. Mr. Brock stated: 


Hackers continue to successfully exploit security weaknesses 
and undermine the integrity and confidentiality of sensitive 
government information. 


Between April 1990 and May 1991, computer systems at 34 
DoD sites attached to the Internet were successfully penetrated 
by foreign hackers. The hackers exploited well-known security 
weaknesses--many of which were exploited in the past by other 
hacker groups. These weaknesses persist because of the 
inadequate attention to computer security, such as password 
management, and the lack of technical expertise on the part of 
some system administrators--persons responsible for the 
technical management of the system. 


At many of the sites the hackers had access to unclassified, 
sensitive information on such topics as (1) military personnel-- 
personnel performance reports, travel information and personnel 
reductions; (2) logistics--descriptions of the type and quantity of 
equipment being moved: and (3) weapons systems development 
data. 


Although such information is unclassified, it can be highly 
sensitive, particularly during times of international conflict. 
Some DoD and government officials have expressed concern that 
the aggregation of unclassified, sensitive information could 
result in the compromise of classified information. 


..System administration duties are generally part-time 
duties and that administrators frequently have little 
computer security background or training. [Ref. 13] 


Both GAO reports express DoD's anxiety about system 
administrators" lack of technical expertise and their inability. to safeguard 


electronic information. 


3. Computer Security Climate 

To obtain a feel for the "local" computer security climate, interviews 
were conducted with the System Administrator/Automated Data Processing 
(ADP) Managers at two central California military installations to determine 
their computer security backgrounds and training. Research revealed that the 
system administrators received little if any formal education in the arena of 
computer security. For example, one of the ADP Manager's entire formal 
training consisted of a two day computer security course in San Francisco 
[Ref. 14]. The other ADP Manager had not received any type of formal 


computer security training to date [Ref. 15]. 


C. THE NEED FOR COMPUTER SECURITY PROFESSIONALS 

It is imperative that the concepts and issues of computer security be 
addressed if our goal is to protect the privacy, integrity and availability of 
sensitive government information from forms of electronic vandalism and 
terrorism. To accomplish this goal, attention must be focused on establishing 
an education program that will provide system administrators with the 
technical expertise to understand, administer, and make knowledgeable, 


informed decisions with regard to computer security. 


Ш. CULTIVATING COMPUTER SECURITY IN DOD 


A. SECURITY RELATED LEGISLATION 


Since the late 1950s, federal agencies have become increasingly 
concerned over the protection of sensitive electronic information. This 
concern has spawned numerous pieces of legislation aimed at security. Two 
recent pieces of legislation, the National Telecommunication and Information 
Systems Security Publication 200 (NTISSP 200) and the Computer Security 
Act of 1987, have had a profound impact on the delegation of computer 


security practices in DoD. 


1. NTISSP 200 


National Telecommunication and Information Systems 
Security Publication 200 (National Policy on Controlled Access 
Protection) defined a minimum level of protection for computer 
systems operated by Executive branch agencies and departments 
of the U.S. Government. The policy applies to any system 
accessed by multiple users who do not all have the same 
authorization to use all of the classified or sensitive unclassified 
information processed or maintained by the system. NTISSP 200 
stated that within five years of publication (1.e., by September of 
1992), the systems affected by the policy must provide 
automated Controlled Access Protection (CAP) for all classified 
and sensitive unclassified information at the C2 level of trust 


defined in the Orange Book.! [Ref. 16] 

The Orange Book is a technical publication, part of the Rainbow Series’, 
which defines trusted computer system evaluation criteria for systems 
requiring multiple levels of security. There are four basic divisions of trust, 
"1, Department of Defense Trusted Computer System Evaluation Criteria, Department of Defense Stan- 
dard (DOD 5200.28-STD) Library Number $225,711, December 1985. 


2. A series of technical computer security books published by the National Computer Security Center, 
each with a different colored covering, hence the name “Rainbow Series” 
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with each division further subdivided into one or more distinct classes. Each 


class is denoted with a number, where the higher numbers indicate a greater 


degree of security [Ref. 17]. In increasing order of trust, from lowest to 


highest, the classes are: 


D 

Cl 
C2 
Bl 
B2 
B3 
Al 


Minimal Protection 
Discretionary Security Protection 
Controlled Access Protection 
Labeled Security Protection 
Structured Protection 

Security Domains 


Verified Design 


How do you rate each of the aforementioned classes, and what are the 


associated requirements to achieve this rating? 


Each class is defined by a specific set of criteria that a system 


must met to be awarded a rating for that class. The criteria fall 
into four general categories: security policy, accountability, 
assurance, and documentation. [Ref. 18] Table 1 compares the 
Orange Book evaluation classes, showing the specific features 
required for each class and, in general terms, how requirements 
increase from class to class. [Ref. 19] 


ШІ 


Table 1: TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA 
СІ C2 BI B2 B3 AI 


Discretionary Access Control 

—= — 
fe 
ema —  — | 1— 
Брашна | | 
Биштов | 
Cag Homann Oumar — — | | — 


Subject Sensitivity Labels 


Security Policy 


Device Labels 


d Authentication 


Design Specification and Verification 


Covert Channel Analysis 


печка °| [|| 
Сепак маен ° | L | И 

u 
тыы» es 


Assurance 





| Documentation 





New or enhanced requirements for this class 





No additional requirements for this class 


No requirements for this class 
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2. Computer Security Act of 1987 

The Computer Security Act of 1987 holds each federal agency 
accountable for identifying computer systems that utilize sensitive data. The 
act also requires civilian, military, government employees, and others who 
directly interact with systems containing sensitive information to receive 
computer security training commensurate with their level of access. [Ref. 9] 

Since the government has over 50,000 sensitive systems, a new stock 
of questions emerge. Who will train this multitude of individuals needed to 
operate these systems, to what extent will they be trained, and how will their 


computer security training benefit the DoD? 


B. FORMAL COMPUTER SECURITY EDUCATION: TOWARD A 
CERTIFICATION FORMAT 


System administrators are chronically considered the weak link in 
the computer security chain. Their lack of formal and technical education in 
the arena of computer security is a dangerous situation, but this situation can 
be rectified. 

The Naval Postgraduate School (NPS) in Monterey, California, an 
institution dedicated to providing graduate level academic programs to meet 
the increasing technological and professional needs of the DoD, offers a viable 
solution. The Information Technology Management (370) Curriculum, an 
eight quarter interdisciplinary program of study, is designed to provide 
officers and federally employed civilians with a strong knowledge of 
information systems, emphasizing computer and telecommunication systems. 

With minor modifications and a moderate injection of computer security 


concepts and issues, the Information Technology Management (370) 
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Curriculum can become a beneficial vehicle for producing more 
knowledgeable and competent computer security "professionals". The 
modified curriculum can greatly contribute towards combating DoD's 
computer security problems. 

There are individuals in the computer industry who market themselves as 
"security professionals", but without the sanction of any recognized certifying 
group. A few certification programs lightly touch on security issues, but to 
date, there is no certification program dedicated totally to the issues of 
information security. [Ref. 20] 


The International Information Systems Security Certification 


Consortium-- or (ISC)* for short-- was created to develop a 
certification program for information systems security 
practitioners. In November 1988, the Special Interest Group for 
Computer Security (SIG-CS) of the Data Processing 
Management Association (DPMA) brought together 
organizations who were interested in creating a certification 
program for this community of specialists. The cooperating 
organizations include the Data Processing Management 
Association (DPMA), Information Systems Security Association 
(ISSA), Idaho State University, the National Security Agency 
(NSA), and the Computer Security Institute (CSI). Other groups 
--including the Canadian and U.S. Governments, the Canadian 
Information Processing Society (CIPS), and the International 
Federation for Information Processing (IFIO) have been 
represented at meetings and have been invited to participate. 
Representation from other interested and qualified bodies, 
including IEEE and ACM, is under consideration. [Ref. 21] : 


In 1991 (ISC)2 proposed the first formal certification program for 
computer security professionals. This certification reflects the current thought 
and future expectations of distinguished experts in the computer security field. 
[Ref. 22] 
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By extracting the (ISC)? certification format and injecting these concepts 
and issues into the existing 370 Curriculum, a new, enhanced curriculum will 
metamorphose. In this fast changing climate of high-technology, this 
curriculum will ensure the military has an ample supply of these top-level 
managers and supervisors who possess a solid background in the area of 


computer security. 


[5 


IV. ANALYTICAL METHODS 


The purpose of this thesis is to determine if relevant computer security 
concepts and issues were being addressed in the Information Technology 
Management (370) Curriculum and make recommendations to improve 
course content and the Curriculum. In order to determine which concepts and 
issues were considered relevant and if they were being addressed, several 
methods were employed: 


e Literature review (including academic and DoD publications on 
computer security). 


e Interviews with DoD ADP Managers. 


° Interviews with faculty from the Computer Science, 
Administrative Sciences, and the Electrical and Computer 
Engineering Departments. 


° Micro analysis of the 370 Curriculum from the viewpoint of 
computer security, utilizing the (ISC)^ certification format. 


A. LITERATURE REVIEW 


Initially, a comprehensive literature review was conducted to become 
familiar with the current computer security atmosphere and to form a 
knowledge base for further research. The computer library located in the 
Naval Postgraduate School's Ingersoll Hall, is a cornucopia of computer 
information. Some of the reference material utilized to assimilate information 
for the knowledge base includes; 


° Government Publications: The “Rainbow Series", Federal 
Information Processing Standards Publications (FIPS PUBS) 
and Government Accounting Office Reports (GAO) 


° Electronic Newsgroups: alt.security, comp.risks, comp.virus 
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e Anonymous File Transfer Protocol (FTP): Several documents 
were retrieved electronically from these addresses: 
cert.sei.cmu.edu, cu.nih.gov, cs.purdue.edu. 


e Computer Security Books: Computers under Attack: Intruders, 
Worms and Viruses by Peter Denning, Security in Computing by 
Charles Pfleeger, Computer Security Basics by Deborah Russell 
and G.T. Gangemi Sr., and Computer Security Handbook by 
Richard Baker. 


e Computer Security Professional Certification Format: 
International Information Systems Security Certification 


Consortium (ISC)? is the format used to evaluate each course in 
the 370 Curriculum. The result of the evaluation is reflected in 
Appendices A, B, and C. 


Once the information from the literature review was assimilated, and a 


through knowledge of computer security established. This newly gained 


knowledge base, along with the (ISC)* certification format was used as a tool 


to interview NPS faculty members. 


B. LOGICAL COURSE GROUPINGS 

To analyze the 370 Curriculum, it was necessary to segregate the courses 
into the following logical course groupings; Communications (CM), 
Computer Science (CS), Electro-Optical (EO), Information Systems (IS), 
Management (MN), Operations Science (OS), Mathematics (MA), and Naval 
Science (NS). Research revealed the MN, OS, MA, and NS courses were 
sufficiently devoid of the information applicable to computer security. Four 
course groupings: IS, CS, CM and EO were selected for analysis because 
they contained the bulk of the technical material in the 370 Curriculum and 
relate to computer systems. Once the areas for analysis were selected, the 


experts were interviewed. 
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C. INTERVIEWS WITH NPS FACULTY 


Faculty members representing the Computer Science, Administrative 


Science, and the Electrical and Computer Engineering departments were 


individually interviewed. Each interview revolved around four main issues: 


To what extent did the course address computer security 
concepts and issues? 


If the concepts and issues were not addressed, how easy would 
it be to incorporate the (15Су? format into the course? 


If the concepts and issues were addressed, how close did the 
content adhere to the (ISC)? format? 


If there were shortcomings in the amount of computer security 
issues addressed, where could improvements be made? 


Each emphasis area course within its respective department was reviewed 


for computer security related concepts or issues. Faculty members were 


encouraged to offer their opinions as to how the courses could be modified to 


adhere to the (ISC)* certification format. 


D. INTERVIEWS WITH DOD ADP MANAGERS 


Interviews were conducted with the System Administrator/Automated 


Data Processing (ADP) Managers at two central California military 


installations to determine their computer security backgrounds and training. 


Interview questions focused on; 


Personal Education: Did the individual have any previous 
computer experience, if so what type, and how much? 


Training: What type of computer security training had they 
received? What actions were taken to increase the staff’s 
awareness of computer security? What type of guidance did they 
receive (e.g. local instructions, Navy instructions, laws, etc...). 
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What were their future plans to increase computer security and 
computer security awareness at their site? 


E. COURSE ANALYSES 

Four logical course grouping areas of the 370 Curriculum; Information 
Systems, Computer Science, Communications and Electro-Optical were 
analyzed. Each course in the respective logical course grouping was 
scrutinized for relevant computer security issues using the (ISC)? certification 
format as a cross-reference. Each course fell into one of three categories, 
either the subject was addressed, the subject was not addressed but needs 


to be, or the subject was not relevant to the course. 
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V. SUMMARY OF FINDINGS 


Both the 1989 and 1991 GAO reports discussed in chapter 2,express 
DoD's anxiety about technically weak system administrator's inability to 
protect sensitive electronic information. Both reports recommend a formal 
training program be established to strenghten system administrator’s 
knowledge of computer security. 

Interviews with local ADP managers support the GAO’s findings that 
system administrators receive little if any formal computer security training. 
Although only a small portion of the ADP manager population was sampled, 
it was evident that formal computer security training had not been a 
prerequisite for the position. 


Faculty interviews along with course analyses indicate only one course, 


CS 4601 Computer Security, adheres closely to the (ISCY* certification 


format, and that computer security concepts and issues are sparse in other 


courses of the 370 Curriculum. Of the 298 topic items identified by the (ISC)^ 
certification format, 165 items are addressed in CS 4601 Computer Security, 
37 items are addressed in IS 4200 System Analysis and Design, 10 items are 
addressed in CM 3112 Navy Telecommunications Systems, and 6 items in CS 
2970 Structured Programming with Ada. Those courses that actually 
addressed computer security concepts or issues are highlighted in the current 


370 Curriculum matrix shown in Table 2. 
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Table 2: CURRENT INFORMATION TECHNOLOGY MANAGEMENT (370) 
CURRICULUM 


1 54 
Quarter 
2 nd 
Quarter 


4 th 
Quarter 


5th 
Quarter | 

6 th 
Quarter 

7 th 
Quarter 

8 th 
Quarter 


IS 2000 (3-1) 


Introduction to Computer f 


Management 


CS 3030 (4-0) 
Computer Architecture 
and Operating Systems 


— 154200 (4-0). 


3 га Е 
Quarter f- 


IS 3020 (3-2) 
Software Design 


IS 4300 (4-0) 
Software Engineering 
and Management 


MN 4125 (4-0) 

Managing Planned 

Change in Complex 
Organizations 


MN 3154 (4-0) 
Financial Management in 
the Armed Forces 


IS 4182 (4-0) 
Information Systems 
Management 


MA 1248 (4-1) 


Selected Topics in 


Applied Mathematics 


EO 2710 (4-2) 


Comm Systems I: 
Analog Signals and 
Systems 


EO 2750 (4-2) 

Comm Systems II: 

Digital Signals and 
Systems 


EO 3750 (4-0) 
Communications 
System Analysis 


NS 3252 (4-0) 
Joint and Mantime 
Strategic Planning 


CS 4601 (4-0) 


Computer Security — 


Elective 


OS 3101 (4-1) 
Stanstical Analysis for 
Management 


OS 3004 (5-0) 
Operations Research for 
Computer Systems 
Managers 


IS 4183 (4-1) 
Applications of 
Database Management 
Systems 


IS 4185 (4-1) 
Decision Support 
Systems 


IS 3502 (4-0) 
Computer Networks: 
Wide Area / Local Area 


IS 4502 (4-0) 
Telecommunications 
Networks 


MN 3307 (4-0) 
ADP Acquisition 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


т E 21 Navy: 


MN 2155 (4-0) 
Accounting for 
Management 


MN 3105 (4-0) 
Organization and 
Management 


IS 3170 (4-0) 
Economic Evaluation of 
Information Systems I 


IS 3171 (4-0) 
Economic Evaluation of 
Information Systems II 


| CM 3112 (4- 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 





For a detailed analysis of how well each course paralleled the relevant 


computer security concepts in (ISC)’ certification format see the following 
appendices. [Ref. 20] 
e APPENDIX A 


° APPENDIX B 
° APPENDIX C 


Information Systems Courses 
Computer Science Courses 


Electro-Optical and Communication Courses 
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In order to help decipher the appendices, a small sample is provided in 


Table 3. 


Table 3: APPENDIX LEGEND 

ж. И = ЕЕ 
COMPUTER SECURITY CONCEPTS AND ISSUES zo rm qos 

араар 
I Overview афи ЧН ЩИ Ы 
ü; n | 
i meo Open toa Su PS — —as ms Ts 
Че ое  —  . 
Reason for a organizational security management policz] Sa NN 
т == 0 0 Dia ni non |n НИИ 
ú lll b bi NH 
р ны 
+ (мај 


LOU ( 
ы! d | | 
















The concept or issue is currently addressed. 
The concept or issue is not currently addressed, but needs to be. 


= The concept or issue is not relevant to the course. 


po 


VI. RECOMMENDATIONS 


Research indicates that the current 370 Curriculum needs a moderate 


injection of additional computer security topics to emulate the (O) 
certification format. Several recommendations for modifying the 370 
Curriculum follow: 

Recommendation 1: Modify the 370 Curriculum to allow students 
to specialize in a particular area of interest. The curriculum would be divided 
into three subspecialty areas called "Emphasis Tracks" as follows: 

e Computer Security Emphasis Track 
e Telecommunications Networks Emphasis Track 
* Information Resource Management Emphasis Track 

Each “Emphasis Track” would have one or more mandatory required 
courses and a variety of elective courses to choose from. The 370 Curriculum 
currently provides only one elective choice for students. The flexibility of 
being able to select from a variety of elective courses would allow the 
individual to tailor the curriculum to their particular field of interest. To 
promote this flexibility, two additional elective slots can be realized with the 
elimination of MN 4125 (Managing Planned Changed in Complex 
Organizations) and IS 3171 (Economic Evaluation of Informations Systems 


II). Examples of each Emphasis Track are provided below: 


a. Computer Security Emphasis Track 
Required Courses: 


IS 3220 - Computer Center Management 


IS 4xxx? - Risk Analysis and Disaster Recovery Planning 
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Elective Courses: 

CS 4602 - Advanced Computer Security 

15 3000 - Distributed Computer System 

15 3503 - Micro-Computer Networks 

[5 4184 - Information Resource Management in DoN/DoD 

15 4186 - Knowledge-Based Systems and Artificial Intelligence 
MN 4125 - Managing Planned Change in Complex Organizations 
OS 3404 - Man-Machine Interaction 


b. Telecommunications Networks Emphasis Track 


Required Course: 

IS 3000 - Distributed Computer System 

Elective Courses: 

IS 3220 - Computer Center Management 

IS 3503 - Miucro-Computer Networks 

15 4184 - Information Resource Management in DoN/DoD 

5 4ххх - Risk Analysis and Disaster Recovery Planning 

MN 4125 - Managing Planned Change in Complex Organizations 
OS 3404 - Man-Machine Interaction 


c. Information Resource Management Emphasis Track 
Required Courses: 
[5 4184 - Information Resource Management in DoN/DoD 
Elective Courses: 
IS 3000 - Distributed Computer System 
[5 3220 - Computer Center Management 


3. IS 4xxx Risk Analysis and Disaster Recovery Planning is a course that would have to be developed. 
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5 3503 - Micro-Computer Networks 

IS 4xxx - Risk Analysis and Disaster Recovery Planning 

MN 4125 - Managing Planned Change in Complex Organizations 
MN 4105 - Management Policy 

OS 3404 - Man-Machine Interaction 

Recommendation 2: Eliminate the IS 3171 (Economic Evaluation 
of Informations Systems IT), MN 3154 (Financial Management in the Armed 
Forces), and MN 4125 (Managing Planned Changed in Complex 
Organizations) courses from the 370 Curriculum and replace them with 
emphasis track electives. Split the CS 3030 Computer Architecture and 
Operating Systems course into two courses. One course would consist of 
primarily computer architecture, CS 3010, and the other course would consist 
primarily of operating systems, CS 3030. 

The benefit of splitting the current CS 3030 Computer Architecture and 
Operating Systems course into two separate course will allow the instructors 
more time to present the material in greater detail as well as inject more 
security related issues. The only benefit of not splitting CS 3030 is that it 
would make room for a fourth Track Elective. Two curriculum matrices are 
shown in Tables 4 and 5. Table 4 reflects CS 3030 being split and Table 5 
reflects CS 3030 not being split. 
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I st 
Quarter 
2nd 
Quarter 
3rd 
Quarter 
4th 
Quarter 


5 th 
Quarter 

ба Fo Т 
Quarter FE. i 


8 th 
Quarter 


ELIMINATED AND CS 3030 SPLIT 


IS 2000 (3-1) 
Introduction to Computer 
Management 


CS 3010 (4-0) 


Computer Architecture 


IS 4200 (4-0) 
System Analysis and 
Design 


IS 3020 (3-2)) 
Software Design 


IS 4300 (4-0) 
Software Engineenng 
and Management 


0 


Information Systems 
Management 


CS 2970 (4-1) 
Structured Programming 
with Ada 


MA 1248 (4-1) 
Selected Topics in 
Applied Mathematics 


EO 2710 (4-2) 

Comm Systems Í: 

Analog Signals and 
Systems 


EO 2750 (4-2) 

Comm Systems II: 

Digital Signals and 
Systems 


EO 3750 (4-0) 


Communications 
System Analysis 


NS 3252 (4-0) 
Joint and Mantime 
Strategic Planning 


CS 4601 (4-0) 


Computer Secunty 
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Track Bective, 


OS 3101 (4-1) 
Statistical Analysis for 
Management 


OS 3004 (5-0) 
Operations Research for 
Computer System 
Managers 


IS 4183 (4-1) 
Applications of 
Database Management 
Systems 


IS 4185 (4-1) 
Decision Support 
Systems 


IS 3502 (4-0) 
Computer Networks: 
Wide Area / Local Area 


IS 4502 (4-0) 
Telecommunications 


Network 


MN 3307 (4-0) 
ADP Acquisition 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


Table 4: MATRIX WITH IS 3171, MN 3154, AND MN 4125 


MN 2155 (4-0) 
Accounting for 
Management 


MN 3105 (4-0) 
Organization and 
Management 


IS 3170 (4-0) 
Economic Evaluation of 
Information Systems I 


CS 3030 (4-0) 
Operating Systems 


CM 3112 (4-0) 
Navy 
Telecommunications 
Systems 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 





Table 5: MATRIX WITH IS 3171, MN 3154 AND MN 4125 ELIMINATED AND 


1 st 
Quarter 


2nd 
Quarter 

3rd 
Quarter 

4th 
Quarter 


5th 
Quarter 


6th | 
Quarter 5 

7 th š 
Quarter Wu нады 


8 th 
Quarter 


IS 2000 (3-1) 
Introduction to Computer 
Management 


CS 3030 (4-0) 
Computer Architecture 
and Operating Systems 


IS 4200 (4-0) 
System Analysis and 
Design 


IS 3020 (3-2)) 
Software Design 


IS 4300 (4-0) 
Software Engineering 
and Management 


Track Elect 


Track Elective 


IS 4182 (4-0) 
Information Systems 
Management 


CS 2970 (4-1) 
Structured Programming 
with Ada 


MA 1248 (4-1) 
Selected Topics in 
Applied Mathematics 


EO 2710 (4-2) 
Comm Systems I: 
Analog Signals and 
Systems 


EO 2750 (4-2) 

Comm Systems Il: 

Digital Signals and 
Systems 


EO 3750 (4-0) 


Communications 
System Analysis 


NS 3252 (4-0) 
Joint and Mantime 
Strategic Planning 


CS 4601 (4-0) 
Computer Security 


Track Elective | 


WITHOUT CS 3030 SPLIT 


OS 3101 (4-1) 
Statistical Analysis for 
Management 


OS 3004 (5-0) 
Operations Research for 
Computer Systems 
Managers 


IS 4183 (4-1) 
Applications of 
Database Management 
Systems 


IS 4185 (4-1) 
Decision Support 
Systems 


IS 3502 (4-0) 
Computer Networks: 
Wide Area / Local Area 


IS 4502 (4-0) 
Telecommunications 
Network 


IS 0810 (0-0) 


Thesis Research for 
Information Technology 
Management Students 


MN 2155 (4-0) 
Accounting for 
Management 


MN 3105 (4-0) 
Organization and 
Management 


IS 3170 (4-0) 
Economic Evaluation of 
Information Systems I 


MN 3307 (4-0) 
ADP Acquisition 


CM 3112 (4-0) 
Navy 
Telecommunications 
Systems 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 


IS 0810 (0-0) 
Thesis Research for 
Information Technology 
Management Students 





Recommendation 3: Establish an advanced computer security 
course as an elective for those individuals desiring to gain expertise in 
computer security. Academic objectives would include an understanding of: 


e the fundamental models involved in multilevel security. 


* how the fundamental models used in multilevel security are 
implemented in the design of a secure computer system. 


° the advancements and limitations of computer security 


2] 


technology in the areas of multilevel databases, networks and 
distributed systems. 


the various roles encryption plays in the development of secure 
network protocols and remote access control. 


the DoD requirements for trusted systems and the verification 
process. 


Recommendation 4: Establish a Disaster Recovery and Planning 


course IS 4xxx, which would include: 


current theoretical foundations for conducting risk analysis. 
an introduction to automated assessment tools. 
an introduction to current guidelines and directives. 


analyses of case studies. 


Recommendation 5: Establish a computer security laboratory, 


which would allow students to apply theoretical concepts. This lab would 


include: 


quarantined systems which would allow students to experiment 
with viruses without infecting other computers. Students could 
monitor the life cycle of viruses along with evaluating different 
anti-virus software packages. 


computers with communication software that would allow 
students to gain experience using both private and public key 
encryption protocols and permit them to conduct fundamental 
penetration testing. 


TEMPEST equipment to monitor electronic emanations from 
computer systems, peripherals, and conductors. 


a Honeywell Information System Secure Communications 
Processor (SCOMP). The SCOMP is the only system to date that 
has received an Al Orange Book security rating. The SCOMP 
would provide students a vital research tool to explore multilevel 
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security issues. 


° various biometric devices that measure human body 
characteristics used in computer security such as: retinal patterns, 
fingerprints, handprints, voice patterns, keystroke patterns, and 
signature dynamics. The Naval Postgraduate — School's 
Operations Research Department has an excellent biometrics 
laboratory which could be used as an annex of the computer 
security laboratory. 


Recommendation 5: Provide adequate funding in order to support a 
quarterly seminar program in which visiting specialists from both government 
and civilian sectors could address students and faculty concerning new 
technologies, products and policies. 

Recommendation 6: Restructure the IS 2000 Introduction to 


Computer Management course to include high level coverage of material 


delineated in the (ISC)? certification format. This would expose new students 
to the importance of computer security early in the curriculum and thereby 
foster a basic understanding and appreciation of concepts that will be 
introduced in subsequent courses. 

Recommendation 7: Use the Appendices A, B, and C as a computer 
security reference to help guide faculty members in modifying their courses to 


include relevant computer security topics. 
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VII. CONCLUSION 


DoD has become increasingly dependent upon storing its sensitive 
information in electronic form and naturally there is a deep concern for the 
integrity and privacy of this valuable information. In the recent aftermath of 
numerous electronic break-ins, the DoD continues to express anxiety over 
technically weak system administrators’ inability to protect sensitive 
electronic information. 

A significant step in minimizing electronic intrusions and bolstering 
computer security in DoD is to educate military officers and federal civilians 
in the latest technology and administrative controls available to enhance 
computer security. This can be accomplished by modifying the Information 
Technology Management (370) Curriculum at the Naval Postgraduate School 
to adhere to the proposed recommendations. 

In order to further enhance the Information Technology Management 
(370) Curriculum at the Naval Postgraduate School, and strengthen the 
graduate's knowledge of computer security, it is imperative that the 370 
Curriculum be revised to meet the needs of DoD in this rapidly changing 


technology. 
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APPENDIX A 


Table 6: Information Systems Courses 
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COMPUTER SECURITY CONCEPTS AND ISSUES 
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5. Water exposures and problems 


6. Fire prevention 


7. Fire protection 


8. Tape and media libraries; retention policies 


9. Waste disposal 


10. Off-site storage 
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EO 3750 
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c. Microcomputers/office automation 


ei ие | 
separation oF aes TL. 


3. Controls at interfaces 


4. Media controls 


5. Backup procedures 


6. People controls 


F. Contingency Planning 


1. Backups and procedures 


a. Data 


b. Manuals and documentation 


c. Equipment 


1. Air conditioning 


2. Uninterruptible power supply 


2. Catastrophe planning 
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COMPUTER SECURITY CONCEPTS AND ISSUES 


EO 2710 
EO 2750) 


' [EO 3750 


a. Stages in a disaster 


b. Planning and response teams 


c. Testng plan 


. Communication of plan - 


x 
ы. 


| 
| 
mm 
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.3. Security and controls in off-site backup and facilities | 


Business and DP insurance 






5. Software escrow arrangements 


V. Safeguards: Security and Control Measures, Technical 


A. Hackers and reality: Perception of Risk 


B. Communications and Electronic Exposures 


1. Locus of attack 


a. Terminals 


E 
E 
№. 


b. Hosts 


Ls 
vj 
rj 

В + 


c. Front-end processors 


+ 
Li 
һы 

ш + 


d. Gateways + 


2 
іні 
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e. Links 


4+ 
ГУ 
bd 

+ 


+ | | BÀ ња ü 


f. Switches (multiplexors, packet switching, etc.) 


4 
Ей 
= 


g. Special problems with intelligent workstations 


+ 
" 
F. 


2. Types of attack 


а. Passive: disclosure; traffic analysis; add/remove nodes [Ry E 
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COMPUTER SECURITY CONCEPTS AND ISSUES 

















EO 3750 


EO 2710 
ТЕПЕ 


|ЕО 2750 





. Active: modification; insertion; deletion; replay 


q| E 
ЕЗІН 
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a + 





. Electronic - 


си? 
ur ore 


a. Incoming: interruptions; static; FRI; EMP | | + vel >< 


7 
p оо 
Го ба ШГ 


| c. Solutions: shielding “ШИ 
| 


4. Communications 


а О ИВ 
О Jt: 


b. exposures incoming: noise and interference + ВМ + 


c. Exposures outgoing: interception, replacement + ТІП Z 


is Te" e ete 


56656 


d. Solution: physical measures 





+ 
d 
k... 

E 


іы ы (|ы: 


e. Solutions: encryption + [3 







f. ISO OSI communications standards + ІШ 


5. Network design 


a. Design considerations 


. Integration of countermeasures into network 


design: cryptographic checksum; time stamp; 


Bell/LaPadula model 


2. Integration of countermeasures into protocollayers: | | | 


link level encryption; end-to-end encryption 
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ur un» 
COMPUTER SECURITY CONCEPTS AND ISSUES EEE т 
| [ede P 
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1. Concept of trust | 


О 2710 


Е 





2. Degrees of trustworthiness 





5. Formal specification — i v 


6 виа — — — — - [IL] 
mE еее Y 
[C Ewmm _ О О Я 
ШЕЕСЕТ оа 


1. Definition (plaintext, ciphertext; encryption/decryption) 


2. Public key and private key 





4. Link level, end-to-end 


5. Block mode, cipher block chaining, stream ciphers 


Es 
FI 
Е 

Bs 


(synchronous and self-synchronous) 






6. DES,RSA 


n 
Е 
= 


7. Cryptanalysis and strength of ciphers (theoretically secure 


F 
"m 
ba 


computationally secure) 


8. Advantages and disadvantages 


E 
Ж 
вы 


D. Software and Operating System Controls 


| 1 | РЕ j | ESS Ra | | 


1. Secure operating systems 


Table 8: Electro-Optical and Communication Courses 
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d. Design principles fro secure systems | == 


l. Least privilege 


а 
— | 
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2. Opendesign 


3. Fail-safe defaults 


4. Economy of mechanisms 


5. Naturalness (human factors) 


6. Continuous protection 


e. Common penetration methods and countermeasures 


1. Trojan horse; virus; worm; salami; piggyback; 





т 
ж 
ЕЈ 
Ей 
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deception; human compromise; etc. 


2. Controls on changes; audit trails; program library; | | | 


code comparison; checksums and encryption; Ш 


vaccines and antiviral agents; access control; etc. | | | 


2. Access control 
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COMPUTER SECURITY CONCEPTS AND ISSUES 


EO 2750 
EO 3750 


а. Discretionary access control 


—— Eo 2710 


1. Subjects and objects 


| 


2. Access privileges 


3. Grantüng/revoking of privileges — 


| 
| 
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4. Access control lists 


5. Capabilities, descriptors 


A mer NAT m) em] ep ш јин esp qm p NN ШЕЕ ТЕ Ж wer Tu ко 


6. Supervisor states, rings, domains 


b. Non-discretionary access control 


1. Labels on subjects, objects 


2. Rules for reading, writing 


3. Software Controls: Development 


a. Thereal problem: bugs 


b. Software engineering principles: layering, modularity ИШ 


C. Structured methods 


d. Formal specification and verification 


e. Program library/librarian 


f. Data dictionary as a control 


g. Conversion and implementation 


4. Software controls: Maintenance 


a. Separation of duties 


Table 8: Electro-Optical and Communication Courses 
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| | ' | 

J b. Testing controls — hall at n 
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5. Assurance | ИШЕ 
| a. Integrity 


| = Та 
шш ес е a 
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c. Specification/verification 





| 
| 
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d. Facility management 


e. Diusaster/conüngency 


f. Compliance/degree of trust 


E. Database systems security 


l. Overview 


a. Review of basic concepts of information protection — 


b. Roleof information protection in database systems 


2. Threats 


a. Direct disclosure of data 


b. Modification of data/tampering with data 


c. Inference 


d. Aggregation 


e. Trojan horse 
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f. Covert disclosure of data i 


| 3. Policy/mechanism ' vm 
m MC L— | - E 
a. Policy versus mechanism ! E а 
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Access controls | Мы 


Access right and privileges 
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2. Access control policies 


3. Granularity 


4. Labels 


5. Access control mechanisms 


c. Inference controls 


d. Integrity controls 


1. Integrity policy 


2. Integrity mechanisms 


e. Accountability controls 


1. Identification and authentication 


2. Audit 


4. Design issues 


a. Protection Approaches 


1. Trusted kernel 


2. Trusted filter 
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b. Fraud 






ЕО 3750. 


“ТСМ 3112 


c. Physical abuse 


d. Misuse of information 


e. Sabotage 


2. Lawsas tools for computer security 


a. Privacy laws and legislation 


b. Intellectual property laws 


1. Copyright law 


2. Trade secret law 


3. Patent law 
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COMPUTER SECURITY CONCEPTS AND ISSUES 


4. Trademark law 


TRO 3750 


| {EO 2710 
| [EO 2750. 


x 


c. Federal laws (esp. Computer Security Act 1987) 


d. State statutes nm 


e. DPMA Model Computer Crime Bill 






. Computer crime legislation in other countries 


3. Legislation as legal options to control computer crime ДЕР 





a. License agreements (consumer license agreements) МЕТ 


b. permanent license agreements 


c. Intellectual property rights 


ЕЗ 
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d. Employee non-disclosure considerations 


e. Contracts 


l. Software development contracts 


2. Legalaspects of software purchasing 


3. Leasing contracts 


. Warranties for software and hardware 


4. Control of strategic materials 


5. Fraud and crime prevention and detection 


6. Investigation; evidentiary trial 


B. Ethics and professionalism 


1. Ethical decision-making 
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| 2. Professional societies | | 





a. British Computer Society | 
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2. DPMA Canada 
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d. Computer Professionals for Social Responsibility 


e. EDP Auditors Foundation 


3. National Computer Security Center 


4. National Bureau of Standards 


5. Certificate in Data Processing(CPC); Certified Information m 


Systems Auditor(CISA) 


uidelines 
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А. Accounting and auditing 


. Computer Control Guidelines 


a. Responsibility for Control 


b. Information Systems Development and Acquisition 


c. Information Systems Processing 


d. Segregation of Incompatible Functions and Controls | | | 
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Application Controls 
2. Information systems audit 


а. Security review objectives 
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